The DebuggerPattern SEH Saves rule detects potential adversarial use of Structured Exception Handling (SEH) chain manipulation to bypass debuggers and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify advanced persistence or evasion tactics that may indicate a sophisticated threat actor’s presence.
YARA Rule
rule DebuggerPattern__SEH_Saves : AntiDebug DebuggerPattern {
    meta:
        weight = 1
        Author = "naxonez"
        reference = "https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara"
    strings:
        // x86 `push dword ptr fs:[0]`: saves the current SEH chain head,
        // the first step of installing (or hijacking) an SEH frame
        $ = {64 ff 35 00 00 00 00}
    condition:
        any of them
}
When this YARA rule is deployed, the following benign scenarios can trigger it; each is paired with a filter/exclusion that suppresses the match:

Scenario: A system administrator is using Process Explorer to debug a process for performance tuning.
Filter/Exclusion: process.name != "Process Explorer"

Scenario: A scheduled job runs PsExec to remotely execute a script that temporarily triggers a debugger pattern.
Filter/Exclusion: process.name != "PsExec.exe" or parent_process.name != "schtasks.exe"

Scenario: A developer is using Visual Studio to debug a service that handles SEH exceptions during normal operation.
Filter/Exclusion: process.name != "devenv.exe" and process.name != "VisualStudio.exe"

Scenario: A security tool like Procmon is being used to monitor file system activity, which may inadvertently trigger the debugger pattern.
Filter/Exclusion: process.name != "Procmon.exe"

Scenario: A system update or patching task uses PowerShell with debugging enabled to troubleshoot an installation issue.
Filter/Exclusion: process.name != "powershell.exe" or parent_process.name != "msiexec.exe"
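The following Python script is an added example, not part of the original page or of naxonez's rule set. It reproduces the rule's byte-pattern match over a buffer, shows on two constructed samples what the pattern does and does not cover, and encodes the page's scenario exclusions as a single suppression check with the boolean logic written out explicitly. The sample byte strings, the `SUPPRESSIONS` table and the function names are assumptions made for this example.

```python
from __future__ import annotations

# Added example; the pattern below is the rule's single hex string.
# On x86 it encodes `push dword ptr fs:[0]`: 0x64 = FS segment override,
# FF /6 = push r/m32, ModRM 0x35 = [disp32], disp32 = 0. Code that installs
# an SEH frame pushes the current chain head this way before writing fs:[0].
SEH_SAVE = bytes.fromhex("64ff3500000000")


def find_seh_saves(blob: bytes) -> list[int]:
    """Return every offset at which the rule's pattern occurs in blob."""
    offsets = []
    start = 0
    while (idx := blob.find(SEH_SAVE, start)) != -1:
        offsets.append(idx)
        start = idx + 1
    return offsets


def rule_matches(blob: bytes) -> bool:
    """YARA `any of them` with one string: a single occurrence is enough."""
    return bool(find_seh_saves(blob))


# The page's exclusions as (process, parent) pairs; a parent of None means
# "any parent". Each pair is the negation of the page's filter expression,
# e.g. `process.name != "PsExec.exe" or parent_process.name != "schtasks.exe"`
# keeps everything except PsExec.exe started by schtasks.exe.
SUPPRESSIONS = [
    ("Process Explorer", None),
    ("PsExec.exe", "schtasks.exe"),
    ("devenv.exe", None),
    ("VisualStudio.exe", None),
    ("Procmon.exe", None),
    ("powershell.exe", "msiexec.exe"),
]


def should_alert(process_name: str, parent_process_name: str | None) -> bool:
    """True when a rule hit in this process should surface as an alert."""
    proc = process_name.lower()
    parent = (parent_process_name or "").lower()
    for excl_proc, excl_parent in SUPPRESSIONS:
        if proc != excl_proc.lower():
            continue
        if excl_parent is None or parent == excl_parent.lower():
            return False  # matches a documented benign scenario
    return True


# Constructed samples (not real malware):
#   push 0x12345678        ; handler address (constructed value)
#   push dword ptr fs:[0]  ; save current SEH head  <- the rule's pattern
#   mov  dword ptr fs:[0], esp
FRAME_INSTALL = bytes.fromhex("6878563412") + SEH_SAVE + bytes.fromhex("64892500000000")
#   mov eax, fs:[0x30]     ; PEB read: touches FS but is not the rule's pattern
PEB_READ = bytes.fromhex("64a130000000")


if __name__ == "__main__":
    print("frame install offsets:", find_seh_saves(FRAME_INSTALL))
    print("PEB read matches:", rule_matches(PEB_READ))
    print("alert for devenv.exe:", should_alert("devenv.exe", "explorer.exe"))
    print("alert for PsExec.exe under cmd.exe:", should_alert("PsExec.exe", "cmd.exe"))
```

The same `push dword ptr fs:[0]` is emitted by ordinary 32-bit compilers whenever a function installs a `__try` frame, which is why the rule carries `weight = 1` and why the page pairs it with process-based exclusions rather than treating a hit as conclusive on its own.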